Which Security Copilot Agents are available in Microsoft Intune and what are they used for?
Microsoft currently identifies four specialized Security Copilot Agents for Intune. They address different areas of responsibility, ranging from approval processes and device cleanup to policy configuration and vulnerability remediation.
A common characteristic: these agents are designed not to function as a “black box.” Instead, they provide context, recommendations, and prepared outputs, while final decisions remain with the administrator.
Security Copilot Agents at a glance
| Agent | Description | Data sources | Output | Status |
| --- | --- | --- | --- | --- |
| Change Review Agent | Evaluates multi-admin approval requests for PowerShell scripts on Windows devices | Intune, Entra ID, Defender Vulnerability Management | Risk-based approval/rejection recommendation | Public preview |
| Device Offboarding Agent | Identifies outdated or inconsistent device objects across Intune and Entra ID | Intune, Entra ID | Suggested offboarding actions with admin approval | Deprecated (since June 1, 2026) |
| Policy Configuration Agent | Translates requirements or documents into Intune Settings Catalog configurations | Documents / benchmarks, Intune Settings Catalog | Policy recommendations and creation | Windows |
| Vulnerability Remediation Agent | Prioritizes CVEs and derives remediation actions in Intune | Defender Vulnerability Management, Intune | Prioritized remediation actions with step-by-step guidance | Public preview |
Common prerequisites: Intune Plan 1 • Microsoft Security Copilot • sufficient Security Compute Units (SCUs) • role-based access with least privilege
Security Copilot Agents in detail
1. Change Review Agent
The Change Review Agent supports the evaluation of approval requests in Intune, particularly in scenarios where changes require careful review rather than being automatically approved. It assesses the potential impact of a request and provides a recommendation for action. The main benefit lies in faster risk evaluation: instead of manually tracing changes across multiple consoles and policy layers, administrators receive a consolidated assessment with justification.
2. Device Offboarding Agent
The Device Offboarding Agent addresses a recurring challenge: outdated, inactive, or inconsistent device objects. It identifies mismatches between Intune and Microsoft Entra ID and prepares controlled offboarding actions. Especially in large tenants or tenants that have grown organically over many years, this helps maintain data quality and improves reporting, compliance evaluations, and security processes.
3. Policy Configuration Agent
Translating requirements into Intune policies often involves documentation work, experience, and trial and error. The Policy Configuration Agent simplifies this process by converting requirements – whether from internal standards, audits, or best practices – into concrete settings. It identifies relevant configurations in the Settings Catalog and proposes suitable values. This enables faster policy creation and more consistent implementation of standards.
4. Vulnerability Remediation Agent
The Vulnerability Remediation Agent strengthens the link between security insights and operational execution. Using data from Microsoft Defender, it prioritizes vulnerabilities and suggests remediation steps. This reduces the gap between identifying security issues and implementing actions in Intune.